Posts tagged: Tor

The TOR project is about to join the world of secure instant messaging, laying out a roadmap that would see its first code for a new project delivered by the end of March 2014.

The first aim of the Tor Instant Messaging Bundle will be to get experimental builds happening with Instantbird providing the messaging interface.

As explained, Instantbird was considered to be the best of the three messaging platforms considered by the TOR people. Pidgin/libpurple and xmpp-client were also looked at but didn’t make the cut.

The developers’ “mild preference” for Instantbird is tempered by a couple of open questions. One is what attack profile it presents to the outside world; the other, its OTR support, is being addressed by the TOR developers. Libpurple, which is currently an Instantbird dependency, is being removed.

As this document notes, the group also plans to have the Tor Instant Messaging Bundle audited so “people in countries where communication for the purpose of activism is met with intimidation, violence, and prosecution will be able to avoid the scrutiny of criminal cartels, corrupt officials, and authoritarian governments.”

With Facebook’s recent US$16bn takeover of the messaging service that has more than 450m monthly users, some of the more worried online communities have questioned the move and asked whether it will mean their messages become more susceptible to monitoring, something Facebook has been accused of in the past.

In August 2013, 4 million infected computers woke up and waited for instructions from their master.

The pathogen was Sefnit, a nasty bit of malware that makes infected computers mine bitcoins. Once the computers woke up, they worked under the command of Ukrainian and Israeli hackers named Scorpion and Dekadent. The malware communicated with the two by downloading Tor, the powerful anonymizing software, and talking over encrypted channels. It was the first time a botnet, as a collection of slave computers is called, used Tor in such a potentially powerful way.

By using an unconventional method to exploit Windows, the hackers unwittingly forced Microsoft to show a hand few knew it had: the ability to remotely remove programs en masse from people’s computers, without them even knowing it.

All of a sudden, the anonymous network grew from about 1 million users to 5.5 million, a jump that frightened even Tor’s developers.

“If this had been a real attacker, if the botnet had been turned against the Tor network, it probably would have been fatal, I think,” developer Jacob Appelbaum said in a speech at the Chaos Communication Congress in December.

On one level, Sefnit’s use of Tor was a mistake. That surge in users brought unwanted attention to the botnet at a time of heightened interest in the Tor network. And the malware, which has existed in various versions of Tor since 2009, specifically targeted Windows users, a fact that got Microsoft’s attention quickly.

To fight back, Microsoft remotely removed the program from as many computers as it could, along with the Tor clients it used.

“That’s a lot of power that Microsoft has there,” Appelbaum continued, raising his voice and laughing at the implications. “If you’re using Windows trying to be anonymous, word to the wise: Bad idea.”

It’s no small thing that Microsoft has the ability to reach into certain Windows installations and tear out the parts they deem dangerous, but Andrew Lewman, Tor’s executive director, says there’s little to worry about in this case.

“It sounds scary,” Lewman concluded, “until you realize users opt-in for the most part and agree to have their OS kept ‘secure’ by Microsoft.”

So, yes, Microsoft has the ability to reach into certain computers and delete programs. But, Lewman says, this is the way it’s always been—as long as the user agrees to it first.

Multiple vulnerabilities have been found in Tor, the most severe of which may allow a remote attacker to execute arbitrary code.

Multiple vulnerabilities have been discovered in Tor:

When configured as client or bridge, Tor uses the same TLS certificate chain for all outgoing connections (CVE-2011-2768).

When configured as a bridge, Tor relays can distinguish incoming bridge connections from client connections (CVE-2011-2769).

An error in or/buffers.c could result in a heap-based buffer overflow (CVE-2011-2778).

Impact:
A remote attacker could possibly execute arbitrary code or cause a Denial of Service. Furthermore, a remote relay the user is directly connected to may be able to disclose anonymous information about that user or enumerate bridges in the user’s connection.